From 03b17c4ec516649859ccea48db70d6918225c35e Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 2 Feb 2025 07:01:37 -0800 Subject: [PATCH 1/6] [AUTO-CHERRYPICK] [Medium] Patch mysql to fix CVE-2024-9681 - branch 3.0-dev (#12157) Co-authored-by: jykanase --- SPECS/mysql/CVE-2024-9681.patch | 64 +++++++++++++++++++++++++++++++++ SPECS/mysql/mysql.spec | 6 +++- 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 SPECS/mysql/CVE-2024-9681.patch diff --git a/SPECS/mysql/CVE-2024-9681.patch b/SPECS/mysql/CVE-2024-9681.patch new file mode 100644 index 00000000000..a1ae05e5153 --- /dev/null +++ b/SPECS/mysql/CVE-2024-9681.patch 
@@ -0,0 +1,64 @@ +From 4584d3ab388a83e2e0753c69437df975b4a13547 Mon Sep 17 00:00:00 2001 +From: jykanase +Date: Sat, 25 Jan 2025 13:44:11 +0000 +Subject: [PATCH] CVE-2024-9681 + +Backported form: https://github.com/curl/curl/commit/a94973805df96269bf +--- + extra/curl/curl-8.9.1/lib/hsts.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/extra/curl/curl-8.9.1/lib/hsts.c b/extra/curl/curl-8.9.1/lib/hsts.c +index 8cd77ae3..6e2599b1 100644 +--- a/extra/curl/curl-8.9.1/lib/hsts.c ++++ b/extra/curl/curl-8.9.1/lib/hsts.c +@@ -249,12 +249,14 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname, + struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, + bool subdomain) + { ++ struct stsentry *bestsub = NULL; + if(h) { + char buffer[MAX_HSTS_HOSTLEN + 1]; + time_t now = time(NULL); + size_t hlen = strlen(hostname); + struct Curl_llist_element *e; + struct Curl_llist_element *n; ++ size_t blen = 0; + + if((hlen > MAX_HSTS_HOSTLEN) || !hlen) + return NULL; +@@ -279,15 +281,19 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, + if(ntail < hlen) { + size_t offs = hlen - ntail; + if((hostname[offs-1] == '.') && +- strncasecompare(&hostname[offs], sts->host, ntail)) +- return sts; ++ strncasecompare(&hostname[offs], sts->host, ntail) && ++ (ntail > blen)) { ++ /* save the tail match with the longest tail */ ++ bestsub = sts; ++ blen = ntail; ++ } + } + } + if(strcasecompare(hostname, sts->host)) + return sts; + } + } +- return NULL; /* no match */ ++ return bestsub; + } + + /* +@@ -439,7 +445,7 @@ static CURLcode hsts_add(struct hsts *h, char *line) + e = Curl_hsts(h, p, subdomain); + if(!e) + result = hsts_create(h, p, subdomain, expires); +- else { ++ else if(strcasecompare(p, e->host)) { + /* the same hostname, use the largest expire time */ + if(expires > e->expires) + e->expires = expires; +-- +2.45.2 + 
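Review bot: Turning the `else` in hsts_add into `else if(strcasecompare(p, e->host))` means a cache-file line for a subdomain whose parent entry carries includeSubDomains now gets the parent back from the longest-tail lookup and then satisfies neither branch, so that line's expiry is dropped without a trace; that looks like the intent of the fix (a subdomain must not rewrite its parent's expiry), but the silent fall-through deserves a comment on the new branch, e.g. `/* covered by a parent entry with includeSubDomains: leave its expiry alone */`. In Curl_hsts the exact-match `return sts` stays inside the loop after the tail comparison, so an exact host entry still wins over any accumulated `bestsub`, which is the right precedence. Both Curl_hsts and hsts_add start before their hunks, so the remaining control flow is outside view.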
diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec index f16a0212692..a55abebc8ce 100644 --- a/SPECS/mysql/mysql.spec +++ b/SPECS/mysql/mysql.spec @@ -3,7 +3,7 @@ Summary: MySQL. Name: mysql Version: 8.0.40 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 with exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation Distribution: Azure Linux @@ -15,6 +15,7 @@ Patch0: CVE-2012-5627.nopatch # ciphers unavailable. Patch1: fix-tests-for-unsupported-chacha-ciphers.patch Patch2: CVE-2012-2677.patch +Patch3: CVE-2024-9681.patch BuildRequires: cmake BuildRequires: libtirpc-devel BuildRequires: openssl-devel @@ -108,6 +109,9 @@ sudo -u test make test || { cat Testing/Temporary/LastTest.log; false; } %{_libdir}/pkgconfig/mysqlclient.pc %changelog +* Mon Jan 27 2025 Jyoti Kanase - 8.0.40-5 +- Fix CVE-2024-9681 + * Tue Nov 12 2024 Pawel Winogrodzki - 8.0.40-4 - Patched CVE-2012-2677. From cf04d9bd4a3e77ee96a5213712a524d603b5e071 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 2 Feb 2025 07:18:04 -0800 Subject: [PATCH 2/6] [AUTO-CHERRYPICK] [Medium] Patch ceph to fix CVE-2014-5461 - branch 3.0-dev (#12193) Co-authored-by: Kevin Lockwood <57274670+kevin-b-lockwood@users.noreply.github.com> --- SPECS/ceph/CVE-2012-6708.patch | 28 ++++++++++++++++++++++++++++ SPECS/ceph/CVE-2014-5461.patch | 29 +++++++++++++++++++++++++++++ SPECS/ceph/CVE-2015-9251.patch | 32 ++++++++++++++++++++++++++++++++ SPECS/ceph/CVE-2020-22217.patch | 27 +++++++++++++++++++++++++++ SPECS/ceph/ceph.spec | 16 +++++++++++++--- 5 files changed, 129 insertions(+), 3 deletions(-) create mode 100644 SPECS/ceph/CVE-2012-6708.patch create mode 100644 SPECS/ceph/CVE-2014-5461.patch create mode 100644 SPECS/ceph/CVE-2015-9251.patch create mode 100644 SPECS/ceph/CVE-2020-22217.patch diff --git a/SPECS/ceph/CVE-2012-6708.patch b/SPECS/ceph/CVE-2012-6708.patch new file mode 100644 index 00000000000..1df32083103 --- /dev/null 
+++ b/SPECS/ceph/CVE-2012-6708.patch @@ -0,0 +1,28 @@ +From c993d7d4b9ddb5d9dcb0c4120f798730aacfff0a Mon Sep 17 00:00:00 2001 +From: Kevin Lockwood +Date: Mon, 13 Jan 2025 14:53:54 -0800 +Subject: [PATCH] Adjust jQuery('html') detection to only match when html + starts with '<' (not counting space characters). Fixes #11290. + +Source: https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d.patch +--- + qa/workunits/erasure-code/jquery.js | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/qa/workunits/erasure-code/jquery.js b/qa/workunits/erasure-code/jquery.js +index 8c24ffc61..45c208837 100644 +--- a/qa/workunits/erasure-code/jquery.js ++++ b/qa/workunits/erasure-code/jquery.js +@@ -56,7 +56,8 @@ var + + // A simple way to check for HTML strings + // Prioritize #id over to avoid XSS via location.hash (#9521) +- rquickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/, ++ // Strict HTML recognition (#11290: must start with <) ++ rquickExpr = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/, + + // Match a standalone tag + rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>|)$/, +-- +2.34.1 + diff --git a/SPECS/ceph/CVE-2014-5461.patch b/SPECS/ceph/CVE-2014-5461.patch new file mode 100644 index 00000000000..779156484c4 --- /dev/null +++ b/SPECS/ceph/CVE-2014-5461.patch 
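Review bot: The patch subject says HTML is recognised when it starts with `<` "not counting space characters", yet the new `rquickExpr` has no `\s*` before the `(<[\w\W]+>)` group, so a string such as `" <div>"` now takes the selector path; the stricter form is the safer one for the #9521/#11290 class of issue, but the description and the regex disagree, so either the subject should say leading whitespace is no longer tolerated or the intended upstream regex should be confirmed. The patched file lives under `qa/workunits/erasure-code/`, a test asset; if no subpackage ships it the change only silences scanners, which is worth stating in the changelog entry.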
@@ -0,0 +1,29 @@ +From 4c6ecee6fcb3c3deead402098c6de1cfd53bb91b Mon Sep 17 00:00:00 2001 +From: Kevin Lockwood +Date: Tue, 28 Jan 2025 15:47:50 -0800 +Subject: [PATCH] Patch ceph to fix CVE-2014-5461 + +Stack overflow in vararg functions with many fixed parameters called +with few arguments. + +Link: https://www.lua.org/bugs.html#5.2.2-1 +--- + .../3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c b/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c +index d1bf786cb..30333bfa5 100644 +--- a/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c ++++ b/src/jaegertracing/opentelemetry-cpp/third_party/prometheus-cpp/3rdparty/civetweb/src/third_party/lua-5.1.5/src/ldo.c +@@ -274,7 +274,7 @@ int luaD_precall (lua_State *L, StkId func, int nresults) { + CallInfo *ci; + StkId st, base; + Proto *p = cl->p; +- luaD_checkstack(L, p->maxstacksize); ++ luaD_checkstack(L, p->maxstacksize + p->numparams); + func = restorestack(L, funcr); + if (!p->is_vararg) { /* no varargs? */ + base = func + 1; +-- +2.34.1 + diff --git a/SPECS/ceph/CVE-2015-9251.patch b/SPECS/ceph/CVE-2015-9251.patch new file mode 100644 index 00000000000..60617f2777a --- /dev/null +++ b/SPECS/ceph/CVE-2015-9251.patch 
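Review bot: This edits `src/jaegertracing/opentelemetry-cpp/third_party/.../lua-5.1.5/src/ldo.c`, but the 18.2.2-3 changelog entry visible later in this same diff says opentelemetry-cpp is removed from the build as not relevant; if that removal happens in `%prep` after `%autosetup -p1` the patch applies and is then deleted, and if it happens earlier `%autosetup` fails on a missing file, so it is worth confirming which case this is and, if the tree is gone, either dropping Patch3 or recording in the changelog that the fix is inert. The one-line change itself matches the Lua 5.2.2-1 fix of reserving `p->numparams` extra stack slots before the vararg adjustment; `luaD_precall` continues outside the hunk.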
@@ -0,0 +1,32 @@ +From 124fa2abfde0939c5a7684be1c9f11565888a3a5 Mon Sep 17 00:00:00 2001 +From: Kevin Lockwood +Date: Tue, 28 Jan 2025 17:30:43 -0800 +Subject: [PATCH] [Medium] Patch ceph to fix CVE-2015-9251 + +Link: https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc.patch +--- + qa/workunits/erasure-code/jquery.js | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/qa/workunits/erasure-code/jquery.js b/qa/workunits/erasure-code/jquery.js +index 8c24ffc61..f4ce660b1 100644 +--- a/qa/workunits/erasure-code/jquery.js ++++ b/qa/workunits/erasure-code/jquery.js +@@ -8245,6 +8245,14 @@ jQuery.ajaxPrefilter( "json jsonp", function( s, originalSettings, jqXHR ) { + return "script"; + } + }); ++ ++// Prevent auto-execution of scripts when no explicit dataType was provided (See gh-2432) ++jQuery.ajaxPrefilter( function( s ) { ++ if ( s.crossDomain ) { ++ s.contents.script = false; ++ } ++} ); ++ + // Install script dataType + jQuery.ajaxSetup({ + accepts: { +-- +2.34.1 + diff --git a/SPECS/ceph/CVE-2020-22217.patch b/SPECS/ceph/CVE-2020-22217.patch new file mode 100644 index 00000000000..62898d5dd23 --- /dev/null +++ b/SPECS/ceph/CVE-2020-22217.patch 
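Review bot: The added prefilter is taken from jQuery 3.x and assumes `s.crossDomain` has already been resolved when prefilters run and that `s.contents` is a per-request copy rather than the shared `jQuery.ajaxSettings.contents`; both hold in the 1.8-era `ajax()` this file appears to be (the sibling CVE-2012-6708 patch shows the pre-1.9 `rquickExpr`), but `ajax()` is outside the hunk, so confirm it on this copy before relying on the mitigation. This patch and CVE-2012-6708.patch are both cut against the same base blob (`index 8c24ffc61..`) and applied in sequence; they coexist only because their hunks are far apart (line 56 vs. 8245), so regenerating one against the other's output would make the pair independent of patch fuzz.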
@@ -0,0 +1,27 @@ +From 97568ddb836a9680c93335a3f8ca0f2c0616ccdc Mon Sep 17 00:00:00 2001 +From: Kevin Lockwood +Date: Mon, 27 Jan 2025 16:19:53 -0800 +Subject: [PATCH] Fix CVE-2020-22217 in c-ares + +Link: https://github.com/c-ares/c-ares/pull/332 +--- + src/c-ares/ares_parse_soa_reply.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/c-ares/ares_parse_soa_reply.c b/src/c-ares/ares_parse_soa_reply.c +index 35af0a75c..5924bbca9 100644 +--- a/src/c-ares/ares_parse_soa_reply.c ++++ b/src/c-ares/ares_parse_soa_reply.c +@@ -65,6 +65,9 @@ ares_parse_soa_reply(const unsigned char *abuf, int alen, + status = ares__expand_name_for_response(aptr, abuf, alen, &qname, &len); + if (status != ARES_SUCCESS) + goto failed_stat; ++ ++ if (alen <= len + HFIXEDSZ + 1) ++ goto failed; + aptr += len; + + /* skip qtype & qclass */ +-- +2.34.1 + diff --git a/SPECS/ceph/ceph.spec b/SPECS/ceph/ceph.spec index 5b6a0045925..21eca3429e8 100644 --- a/SPECS/ceph/ceph.spec +++ b/SPECS/ceph/ceph.spec @@ -1,11 +1,11 @@ #disable debuginfo because ceph-debuginfo rpm is too large %define debug_package %{nil} %define _unpackaged_files_terminate_build 0 - + Summary: User space components of the Ceph file system Name: ceph Version: 18.2.2 -Release: 3%{?dist} +Release: 4%{?dist} License: LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0 URL: https://ceph.io/ Vendor: Microsoft Corporation @@ -14,6 +14,10 @@ Source0: https://download.ceph.com/tarballs/%{name}-%{version}.tar.gz Patch0: 0034-src-pybind-rbd-rbd.pyx.patch Patch1: 0032-cmake-modules-BuildBoost.cmake.patch Patch2: CVE-2024-52338.patch +Patch3: CVE-2014-5461.patch +Patch4: CVE-2020-22217.patch +Patch5: CVE-2015-9251.patch +Patch6: CVE-2012-6708.patch # # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file # at the top-level directory of this distribution and at 
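Review bot: The new bound `alen <= len + HFIXEDSZ + 1` only guarantees two bytes after the question name, yet the following context comment `/* skip qtype & qclass */` says the next step advances over four, so `aptr` can still end up to two bytes past `abuf + alen`; the code is presumably saved by the next `ares__expand_name_for_response` rejecting pointers at or beyond the end, which is outside the hunk. A check sized to what is actually skipped, `if (alen < len + HFIXEDSZ + QFIXEDSZ) goto failed;`, would make the guard self-explanatory without depending on the callee. `ares_parse_soa_reply` starts before the hunk.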
@@ -895,7 +899,7 @@ This package provides a Ceph hardware monitoring agent. # common ################################################################################# %prep -%autosetup -p1 +%autosetup -p1 %build pwd @@ -2004,6 +2008,12 @@ exit 0 %changelog +* Tue Jan 28 2025 Kevin Lockwood - 18.2.2-4 +- Fix for CVE-2014-5461 +- Fix for CVE-2020-22217 +- Fix for CVE-2015-9251 +- Fix for CVE-2012-6708 + * Tue Jan 01 2025 Sandeep Karambelkar - 18.2.2-3 - Based on the package build logs, opentelemetry-cpp submodule is not being built - Removing opentelemetry-cpp to address below CVEs as this submodule is not relevant From a0afb4f19ea3eb722f1db00d94601e8a472cb08f Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 2 Feb 2025 07:18:46 -0800 Subject: [PATCH 3/6] [AUTO-CHERRYPICK] [Medium] patch hwloc to fix CVE-2022-47022 - branch 3.0-dev (#12194) Co-authored-by: jykanase --- SPECS/hwloc/CVE-2022-47022.patch | 69 ++++++++++++++++++++++++++++++++ SPECS/hwloc/hwloc.spec | 6 ++- 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 SPECS/hwloc/CVE-2022-47022.patch diff --git a/SPECS/hwloc/CVE-2022-47022.patch b/SPECS/hwloc/CVE-2022-47022.patch new file mode 100644 index 00000000000..9c1e158e8ff --- /dev/null +++ b/SPECS/hwloc/CVE-2022-47022.patch 
@@ -0,0 +1,69 @@ +From b85436757996b58b805dc4d471ec1cb3c6f56781 Mon Sep 17 00:00:00 2001 +From: jykanase +Date: Tue, 28 Jan 2025 12:11:44 +0000 +Subject: [PATCH] CVE-2022-47022 + +Source Link: https://github.com/open-mpi/hwloc/commit/ac1f8db9a0790d2bf153711ff4cbf6101f89aace +--- + hwloc/topology-linux.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/hwloc/topology-linux.c b/hwloc/topology-linux.c +index c7b63d2..fd6745e 100644 +--- a/hwloc/topology-linux.c ++++ b/hwloc/topology-linux.c +@@ -870,6 +870,8 @@ hwloc_linux_set_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused, + + setsize = CPU_ALLOC_SIZE(last+1); + plinux_set = CPU_ALLOC(last+1); ++ if (!plinux_set) ++ return -1; + + CPU_ZERO_S(setsize, plinux_set); + hwloc_bitmap_foreach_begin(cpu, hwloc_set) +@@ -950,7 +952,10 @@ hwloc_linux_find_kernel_nr_cpus(hwloc_topology_t topology) + while (1) { + cpu_set_t *set = CPU_ALLOC(nr_cpus); + size_t setsize = CPU_ALLOC_SIZE(nr_cpus); +- int err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */ ++ int err; ++ if (!set) ++ return -1; /* caller will return an error, and we'll try again later */ ++ err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */ + CPU_FREE(set); + nr_cpus = setsize * 8; /* that's the value that was actually tested */ + if (!err) +@@ -978,8 +983,12 @@ hwloc_linux_get_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused, + + /* find the kernel nr_cpus so as to use a large enough cpu_set size */ + kernel_nr_cpus = hwloc_linux_find_kernel_nr_cpus(topology); ++ if (kernel_nr_cpus < 0) ++ return -1; + setsize = CPU_ALLOC_SIZE(kernel_nr_cpus); + plinux_set = CPU_ALLOC(kernel_nr_cpus); ++ if (!plinux_set) ++ return -1; + + err = sched_getaffinity(tid, setsize, plinux_set); + +@@ -1333,6 +1342,8 @@ hwloc_linux_set_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_c + + setsize = CPU_ALLOC_SIZE(last+1); + 
plinux_set = CPU_ALLOC(last+1); ++ if (!plinux_set) ++ return -1; + + CPU_ZERO_S(setsize, plinux_set); + hwloc_bitmap_foreach_begin(cpu, hwloc_set) +@@ -1424,6 +1435,8 @@ hwloc_linux_get_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_b + + setsize = CPU_ALLOC_SIZE(last+1); + plinux_set = CPU_ALLOC(last+1); ++ if (!plinux_set) ++ return -1; + + err = pthread_getaffinity_np(tid, setsize, plinux_set); + if (err) { +-- +2.45.2 + diff --git a/SPECS/hwloc/hwloc.spec b/SPECS/hwloc/hwloc.spec index 4567f169d06..e119a60616d 100644 --- a/SPECS/hwloc/hwloc.spec +++ b/SPECS/hwloc/hwloc.spec @@ -1,12 +1,13 @@ Summary: Portable Hardware Locality - portable abstraction of hierarchical architectures Name: hwloc Version: 2.9.2 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD-2-Clause Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://www.open-mpi.org/projects/hwloc/ Source0: http://www.open-mpi.org/software/hwloc/v2.9/downloads/%{name}-%{version}.tar.bz2 +Patch0: CVE-2022-47022.patch BuildRequires: gcc # C++ only for hwloc-hello-cpp test: BuildRequires: gcc-c++ @@ -167,6 +168,9 @@ LD_LIBRARY_PATH=$PWD/hwloc/.libs make check %{_libdir}/%{name}/hwloc* %changelog +* Wed Jan 29 2025 Jyoti Kanase - 2.9.2-2 +- Fix CVE-2022-47022 + * Fri Oct 27 2023 CBL-Mariner Servicing Account - 2.9.2-1 - Auto-upgrade to 2.9.2 - Azure Linux 3.0 - package upgrades From e8062632121aa5d96ea8053aaae90bf88f53f41f Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 2 Feb 2025 07:19:10 -0800 Subject: [PATCH 4/6] [AUTO-CHERRYPICK] [Medium] patch m2crypto to fix CVE-2019-11358 - branch 3.0-dev (#12195) Co-authored-by: jykanase --- SPECS/m2crypto/CVE-2019-11358.patch | 28 ++++++++++++++++++++++++++++ SPECS/m2crypto/m2crypto.spec | 6 +++++- 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 SPECS/m2crypto/CVE-2019-11358.patch 
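Review bot: Each new `if (!plinux_set) return -1;` (and the `if (!set) return -1;` in hwloc_linux_find_kernel_nr_cpus) reports the failure by return value only and leaves errno to whatever the allocation inside CPU_ALLOC set; hwloc's cpubind entry points report errors through errno, so an explicit `errno = ENOMEM;` ahead of each `return -1;` would make the five paths independent of how CPU_ALLOC is implemented. The early return in hwloc_linux_find_kernel_nr_cpus bypasses the `CPU_FREE(set)` below it, which is correct since `set` is NULL there. All five enclosing functions start before their hunks.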
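Review bot: `Patch0: CVE-2022-47022.patch` is the first patch this spec declares, and the diff touches no `%prep` section; if `%prep` uses plain `%setup`, which ignores `PatchN:` tags, the patch is carried in the SRPM but never applied and the build still succeeds silently. Confirm that `%prep` uses `%autosetup -p1` or adds `%patch0 -p1`, ideally by including that `%prep` hunk in the change so a reviewer can see the patch is actually applied.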
diff --git a/SPECS/m2crypto/CVE-2019-11358.patch b/SPECS/m2crypto/CVE-2019-11358.patch new file mode 100644 index 00000000000..a262ca67af0 --- /dev/null +++ b/SPECS/m2crypto/CVE-2019-11358.patch @@ -0,0 +1,28 @@ +From d3e8292d3c2ac5e78ee4f8cf7ea00241335159b4 Mon Sep 17 00:00:00 2001 +From: jykanase +Date: Wed, 29 Jan 2025 13:46:24 +0000 +Subject: [PATCH] CVE-2019-11358 + +Source Link: https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b +--- + doc/html/_static/jquery-3.2.1.js | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/doc/html/_static/jquery-3.2.1.js b/doc/html/_static/jquery-3.2.1.js +index d2d8ca4..8bbd717 100644 +--- a/doc/html/_static/jquery-3.2.1.js ++++ b/doc/html/_static/jquery-3.2.1.js +@@ -229,8 +229,9 @@ jQuery.extend = jQuery.fn.extend = function() { + src = target[ name ]; + copy = options[ name ]; + ++ // Prevent Object.prototype pollution + // Prevent never-ending loop +- if ( target === copy ) { ++ if ( name === "__proto__" || target === copy ) { + continue; + } + +-- +2.45.2 + diff --git a/SPECS/m2crypto/m2crypto.spec b/SPECS/m2crypto/m2crypto.spec index 376aa09be8e..b8da8793dd1 100644 --- a/SPECS/m2crypto/m2crypto.spec +++ b/SPECS/m2crypto/m2crypto.spec @@ -1,7 +1,7 @@ Summary: Crypto and SSL toolkit for Python Name: m2crypto Version: 0.38.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -10,6 +10,7 @@ URL: https://pypi.python.org/pypi/M2Crypto Source0: https://files.pythonhosted.org/packages/2c/52/c35ec79dd97a8ecf6b2bbd651df528abb47705def774a4a15b99977274e8/M2Crypto-%{version}.tar.gz Patch0: 0001-skip-test_tls1_nok-which-cant-be-run-in-FIPS.patch Patch1: CVE-2020-25657.patch +Patch2: CVE-2019-11358.patch %description M2Crypto is a crypto and SSL toolkit for Python 
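Review bot: The `name === "__proto__"` guard matches the upstream jQuery 3.4 fix; the point is that the patched file is `doc/html/_static/jquery-3.2.1.js`, a generated-documentation asset, so if the m2crypto RPM does not package `doc/html` the change never reaches a user and exists to satisfy scanners. That is fine, but say so in the changelog, e.g. `- Fix CVE-2019-11358 in bundled documentation copy of jquery-3.2.1.js`. `jQuery.extend` starts before the hunk.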
@@ -57,6 +58,9 @@ pip3 install parameterized %{python3_sitelib}/* %changelog +* Wed Jan 29 2025 Jyoti Kanase - 0.38.0-4 +- Fix CVE-2019-11358 + * Tue Aug 16 2022 Muhammad Falak - 0.38.0-3 - Patch CVE-2020-25657 From 68a83100dc02ee400013a6430794d0425dbabde7 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 2 Feb 2025 07:21:23 -0800 Subject: [PATCH 5/6] [AUTO-CHERRYPICK] vitess: Fix CVE-2024-45339 - branch 3.0-dev (#12196) Co-authored-by: KavyaSree2610 <92566732+KavyaSree2610@users.noreply.github.com> --- SPECS/vitess/CVE-2024-45339.patch | 120 ++++++++++++++++++++++++++++++ SPECS/vitess/vitess.spec | 6 +- 2 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 SPECS/vitess/CVE-2024-45339.patch diff --git a/SPECS/vitess/CVE-2024-45339.patch b/SPECS/vitess/CVE-2024-45339.patch new file mode 100644 index 00000000000..8b2ea2fa423 --- /dev/null +++ b/SPECS/vitess/CVE-2024-45339.patch 
@@ -0,0 +1,120 @@ +From afd4339ec8682b92eb6bcc870d138106ffd5f58d Mon Sep 17 00:00:00 2001 +From: kavyasree +Date: Fri, 31 Jan 2025 21:16:51 +0530 +Subject: [PATCH] Patch CVE-2024-45339 + +Reference: https://github.com/golang/glog/pull/74 + +--- + vendor/github.com/golang/glog/glog_file.go | 60 ++++++++++++++++------ + 1 file changed, 44 insertions(+), 16 deletions(-) + +diff --git a/vendor/github.com/golang/glog/glog_file.go b/vendor/github.com/golang/glog/glog_file.go +index e7d125c..6d239fa 100644 +--- a/vendor/github.com/golang/glog/glog_file.go ++++ b/vendor/github.com/golang/glog/glog_file.go +@@ -118,32 +118,53 @@ var onceLogDirs sync.Once + // contains tag ("INFO", "FATAL", etc.) and t. If the file is created + // successfully, create also attempts to update the symlink for that tag, ignoring + // errors. +-func create(tag string, t time.Time) (f *os.File, filename string, err error) { ++func create(tag string, t time.Time, dir string) (f *os.File, filename string, err error) { ++ if dir != "" { ++ f, name, err := createInDir(dir, tag, t) ++ if err == nil { ++ return f, name, err ++ } ++ return nil, "", fmt.Errorf("log: cannot create log: %v", err) ++ } ++ + onceLogDirs.Do(createLogDirs) + if len(logDirs) == 0 { + return nil, "", errors.New("log: no log dirs") + } +- name, link := logName(tag, t) + var lastErr error + for _, dir := range logDirs { +- fname := filepath.Join(dir, name) +- f, err := os.Create(fname) ++ f, name, err := createInDir(dir, tag, t) + if err == nil { +- symlink := filepath.Join(dir, link) +- os.Remove(symlink) // ignore err +- os.Symlink(name, symlink) // ignore err +- if *logLink != "" { +- lsymlink := filepath.Join(*logLink, link) +- os.Remove(lsymlink) // ignore err +- os.Symlink(fname, lsymlink) // ignore err +- } +- return f, fname, nil ++ return f, name, err + } + lastErr = err + } + return nil, "", fmt.Errorf("log: cannot create log: %v", lastErr) + } + ++func createInDir(dir, tag string, t time.Time) (f *os.File, name string, 
err error) { ++ name, link := logName(tag, t) ++ fname := filepath.Join(dir, name) ++ // O_EXCL is important here, as it prevents a vulnerability. The general idea is that logs often ++ // live in an insecure directory (like /tmp), so an unprivileged attacker could create fname in ++ // advance as a symlink to a file the logging process can access, but the attacker cannot. O_EXCL ++ // fails the open if it already exists, thus prevent our this code from opening the existing file ++ // the attacker points us to. ++ f, err = os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666) ++ if err == nil { ++ symlink := filepath.Join(dir, link) ++ os.Remove(symlink) // ignore err ++ os.Symlink(name, symlink) // ignore err ++ if *logLink != "" { ++ lsymlink := filepath.Join(*logLink, link) ++ os.Remove(lsymlink) // ignore err ++ os.Symlink(fname, lsymlink) // ignore err ++ } ++ return f, fname, nil ++ } ++ return nil, "", err ++} ++ + // flushSyncWriter is the interface satisfied by logging destinations. + type flushSyncWriter interface { + Flush() error +@@ -247,6 +268,7 @@ type syncBuffer struct { + names []string + sev logsink.Severity + nbytes uint64 // The number of bytes written to this file ++ madeAt time.Time + } + + func (sb *syncBuffer) Sync() error { +@@ -254,9 +276,14 @@ func (sb *syncBuffer) Sync() error { + } + + func (sb *syncBuffer) Write(p []byte) (n int, err error) { ++ // Rotate the file if it is too large, but ensure we only do so, ++ // if rotate doesn't create a conflicting filename. 
+ if sb.nbytes+uint64(len(p)) >= MaxSize { +- if err := sb.rotateFile(time.Now()); err != nil { +- return 0, err ++ now := timeNow() ++ if now.After(sb.madeAt.Add(1*time.Second)) || now.Second() != sb.madeAt.Second() { ++ if err := sb.rotateFile(now); err != nil { ++ return 0, err ++ } + } + } + n, err = sb.Writer.Write(p) +@@ -274,7 +301,8 @@ const footer = "\nCONTINUED IN NEXT FILE\n" + func (sb *syncBuffer) rotateFile(now time.Time) error { + var err error + pn := "" +- file, name, err := create(sb.sev.String(), now) ++ file, name, err := create(sb.sev.String(), now, "") ++ sb.madeAt = now + + if sb.file != nil { + // The current log file becomes the previous log at the end of +-- +2.34.1 + diff --git a/SPECS/vitess/vitess.spec b/SPECS/vitess/vitess.spec index a0b950aeeb2..3a637d9aa76 100644 --- a/SPECS/vitess/vitess.spec +++ b/SPECS/vitess/vitess.spec @@ -3,7 +3,7 @@ Name: vitess Version: 19.0.4 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Database clustering system for horizontal scaling of MySQL # Upstream license specification: MIT and Apache-2.0 License: MIT and ASL 2.0 @@ -27,6 +27,7 @@ Source0: %{name}-%{version}.tar.gz # Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2017-14623.patch +Patch1: CVE-2024-45339.patch BuildRequires: golang < 1.23 %description @@ -104,6 +105,9 @@ go check -t go/cmd \ %{_bindir}/* %changelog +* Fri Jan 31 2025 Kavya Sree Kaitepalli -19.0.4-4 +- Patch for CVE-2024-45339 + * Tue Oct 15 2024 Muhammad Falak - 19.0.4-3 - Pin golang version to <= 1.22 From 93c20f2129c6c4b21361719b72ceabb0a690eabb Mon Sep 17 00:00:00 2001 
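Review bot: The rotation throttle in `syncBuffer.Write` calls `timeNow()`, which this patch does not define; upstream glog keeps `timeNow` as a test hook in glog.go, but the vendored copy is patched from the pre-fix revision (`index e7d125c..`), so confirm that identifier exists there or the package will not compile — the same applies to the identical SPECS/sriov-network-device-plugin/CVE-2024-45339.patch. In `rotateFile`, `sb.madeAt = now` is stamped before `create`'s error is examined, so a failed create also suppresses further rotation attempts for the rest of that second and later Writes proceed with whatever rotateFile left in `sb.Writer`; that is presumably an acceptable rate limit, but the new comment above the check speaks only of filename conflicts, so a line such as `// madeAt is set even when create fails, so a broken log dir is not retried on every Write` would make it deliberate. `Write` and `rotateFile` continue outside the hunk.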
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Sun, 2 Feb 2025 07:21:47 -0800 Subject: [PATCH 6/6] [AUTO-CHERRYPICK] sriov-network-device-plugin: Fix CVE-2024-45339 - branch 3.0-dev (#12197) Co-authored-by: KavyaSree2610 <92566732+KavyaSree2610@users.noreply.github.com> --- .../CVE-2024-45339.patch | 119 ++++++++++++++++++ .../sriov-network-device-plugin.spec | 6 +- 2 files changed, 124 insertions(+), 1 deletion(-) create mode 100644 SPECS/sriov-network-device-plugin/CVE-2024-45339.patch diff --git a/SPECS/sriov-network-device-plugin/CVE-2024-45339.patch b/SPECS/sriov-network-device-plugin/CVE-2024-45339.patch new file mode 100644 index 00000000000..c5161cf8205 --- /dev/null +++ b/SPECS/sriov-network-device-plugin/CVE-2024-45339.patch 
@@ -0,0 +1,119 @@ +From afd4339ec8682b92eb6bcc870d138106ffd5f58d Mon Sep 17 00:00:00 2001 +From: kavyasree +Date: Fri, 31 Jan 2025 21:16:51 +0530 +Subject: [PATCH] Patch CVE-2024-45339 + +Reference: https://github.com/golang/glog/pull/74 +--- + vendor/github.com/golang/glog/glog_file.go | 60 ++++++++++++++++------ + 1 file changed, 44 insertions(+), 16 deletions(-) + +diff --git a/vendor/github.com/golang/glog/glog_file.go b/vendor/github.com/golang/glog/glog_file.go +index e7d125c..6d239fa 100644 +--- a/vendor/github.com/golang/glog/glog_file.go ++++ b/vendor/github.com/golang/glog/glog_file.go +@@ -118,32 +118,53 @@ var onceLogDirs sync.Once + // contains tag ("INFO", "FATAL", etc.) and t. If the file is created + // successfully, create also attempts to update the symlink for that tag, ignoring + // errors. +-func create(tag string, t time.Time) (f *os.File, filename string, err error) { ++func create(tag string, t time.Time, dir string) (f *os.File, filename string, err error) { ++ if dir != "" { ++ f, name, err := createInDir(dir, tag, t) ++ if err == nil { ++ return f, name, err ++ } ++ return nil, "", fmt.Errorf("log: cannot create log: %v", err) ++ } ++ + onceLogDirs.Do(createLogDirs) + if len(logDirs) == 0 { + return nil, "", errors.New("log: no log dirs") + } +- name, link := logName(tag, t) + var lastErr error + for _, dir := range logDirs { +- fname := filepath.Join(dir, name) +- f, err := os.Create(fname) ++ f, name, err := createInDir(dir, tag, t) + if err == nil { +- symlink := filepath.Join(dir, link) +- os.Remove(symlink) // ignore err +- os.Symlink(name, symlink) // ignore err +- if *logLink != "" { +- lsymlink := filepath.Join(*logLink, link) +- os.Remove(lsymlink) // ignore err +- os.Symlink(fname, lsymlink) // ignore err +- } +- return f, fname, nil ++ return f, name, err + } + lastErr = err + } + return nil, "", fmt.Errorf("log: cannot create log: %v", lastErr) + } + ++func createInDir(dir, tag string, t time.Time) (f *os.File, name string, 
err error) { ++ name, link := logName(tag, t) ++ fname := filepath.Join(dir, name) ++ // O_EXCL is important here, as it prevents a vulnerability. The general idea is that logs often ++ // live in an insecure directory (like /tmp), so an unprivileged attacker could create fname in ++ // advance as a symlink to a file the logging process can access, but the attacker cannot. O_EXCL ++ // fails the open if it already exists, thus prevent our this code from opening the existing file ++ // the attacker points us to. ++ f, err = os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666) ++ if err == nil { ++ symlink := filepath.Join(dir, link) ++ os.Remove(symlink) // ignore err ++ os.Symlink(name, symlink) // ignore err ++ if *logLink != "" { ++ lsymlink := filepath.Join(*logLink, link) ++ os.Remove(lsymlink) // ignore err ++ os.Symlink(fname, lsymlink) // ignore err ++ } ++ return f, fname, nil ++ } ++ return nil, "", err ++} ++ + // flushSyncWriter is the interface satisfied by logging destinations. + type flushSyncWriter interface { + Flush() error +@@ -247,6 +268,7 @@ type syncBuffer struct { + names []string + sev logsink.Severity + nbytes uint64 // The number of bytes written to this file ++ madeAt time.Time + } + + func (sb *syncBuffer) Sync() error { +@@ -254,9 +276,14 @@ func (sb *syncBuffer) Sync() error { + } + + func (sb *syncBuffer) Write(p []byte) (n int, err error) { ++ // Rotate the file if it is too large, but ensure we only do so, ++ // if rotate doesn't create a conflicting filename. 
+ if sb.nbytes+uint64(len(p)) >= MaxSize { +- if err := sb.rotateFile(time.Now()); err != nil { +- return 0, err ++ now := timeNow() ++ if now.After(sb.madeAt.Add(1*time.Second)) || now.Second() != sb.madeAt.Second() { ++ if err := sb.rotateFile(now); err != nil { ++ return 0, err ++ } + } + } + n, err = sb.Writer.Write(p) +@@ -274,7 +301,8 @@ const footer = "\nCONTINUED IN NEXT FILE\n" + func (sb *syncBuffer) rotateFile(now time.Time) error { + var err error + pn := "" +- file, name, err := create(sb.sev.String(), now) ++ file, name, err := create(sb.sev.String(), now, "") ++ sb.madeAt = now + + if sb.file != nil { + // The current log file becomes the previous log at the end of +-- +2.34.1 + diff --git a/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec b/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec index d350a1f1d72..2487373ea30 100644 --- a/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec +++ b/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec @@ -1,7 +1,7 @@ Summary: Plugin for discovering and advertising networking resources Name: sriov-network-device-plugin Version: 3.7.0 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -9,6 +9,7 @@ URL: https://github.com/k8snetworkplumbingwg/sriov-network-device-plu Source0: https://github.com/k8snetworkplumbingwg/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2024-45338.patch +Patch1: CVE-2024-45339.patch BuildRequires: golang Requires: gawk Requires: hwdata @@ -38,6 +39,9 @@ install -D -m0755 images/ddptool-1.0.1.12.tar.gz %{buildroot}%{_datadir}/%{name} %{_datadir}/%{name}/ddptool-1.0.1.12.tar.gz %changelog +* Fri Jan 31 2025 Kavya Sree Kaitepalli - 3.7.0-3 +- Patch CVE-2024-45339 + * Tue Dec 31 2024 Rohit Rawat - 3.7.0-2 - Patch CVE-2024-45338